XP won't authenticate with EAP TLS - log shows unknown_ca fatal error
Problem statement: XP won't authenticate with EAP TLS and FreeRADIUS debug logs (appended) shows unknown_ca fatal error Background: I've been following the 3-part series instructions outlined in the Linux Journal series starting at: http://www.linuxjournal.com/article/8017 "Paranoid Penguin - Securing WLANs with WPA and FreeRADIUS, Part I" I chose to start with this article as it was one of the most recent tutorials I could find on the topic of FreeRADIUS and EAP TLS. I'm running: SuSE 9.2 Pro FreeRADIUS version 1.0.0 Oct 5, 2004, 00:13:22 (installed from SuSE Yast and distro DVD) OpenSSL 0.9.7d 17 Mar 2004 I've read everything I can find on unknown_ca but cannot find any solutions and the Linux Journal article, while good, doesn't do much to help when something goes wrong. I've made it quite a ways into this install and think I'm close, but I just do not know where to go next or what to try. One question I have on the Linux Journal article: At the point of using openssl to convert the client cert to pkcs12 format, it says "You are prompted for client_key.pem's passphrase and then for a new passphrase for the new file; you can use the same password as before if you like. You may be tempted to press Enter instead, especially given that the WPA supplicant in Windows XP works only when you store its certificates without a passphrases..." I've tried generate the client p12 file both ways and reimporting to XP's Personal Certificates to no avail. Is that pkcs12 passphrase assertion still true for XP supplicant? Either way, with or without, I can't get this to work, so that must not be the issue. I have also tried un-checking the "Validate Server Certificate" in the 802.1x settings of XP for that Access Point. I get the same error, so the error seems to indicate an issue with not being able to deal with the client side cert? I've imported both the cacert.pem into my Trusted Root Certs in XP and the client_cert.p12 into "Personal->Certificates". There were no steps indicated I needed to import server cert on the XP side (which doesn't make sense anyway...just noting here that for diagnostic purposes.) Any help towards solving this issue would be very much appreciated. Now for the debug log: Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/server_key.pem" tls: certificate_file = "/etc/raddb/certs/server_cert.pem" tls: CA_file = "/etc/raddb/certs/cacert.pem" tls: private_key_password = "capasswd" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap: Loaded and initialized type tls mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/ detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.5.59:1075, id=165, length=167 Message-Authenticator = 0x70dbfbdbb80a0132ab36ea91639115a7 Service-Type = Framed-User User-Name = "360VL" Framed-MTU = 1488 Called-Station-Id = "000FB57A156E:360VL" Calling-Station-Id = "000BCD56E3CB" NAS-Identifier = "360VL" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000a01333630564c NAS-IP-Address = 192.168.5.59 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 10 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched DEFAULT at 156 users: Matched DEFAULT at 175 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 165 to 192.168.5.59:1075 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeb75fcb695cff41098dcdde96721a715 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.5.59:1075, id=166, length=255 Message-Authenticator = 0x1a26f3a01ff1ea192ae8660258ff07a3 Service-Type = Framed-User User-Name = "360VL" Framed-MTU = 1488 State = 0xeb75fcb695cff41098dcdde96721a715 Called-Station-Id = "000FB57A156E:360VL" Calling-Station-Id = "000BCD56E3CB" NAS-Identifier = "360VL" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020100500d800000004616030100410100003d030142f390d929fcbdc42804368a39fe a1de8e5033352c8556ede0a5f441cfb7492300001600040005000a000900640062000300 060013001200630100 NAS-IP-Address = 192.168.5.59 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 1 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched DEFAULT at 156 users: Matched DEFAULT at 175 modcall[authorize]: module "files" returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 062b], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0099], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 166 to 192.168.5.59:1075 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x0102040a0dc00000071d160301004a02000046030142f390985a8abe09d131a2f9e13d fecad96ddd392d9d8b3070c9b63cae9e8e6c20f18fbf2845995fae88dae4ee8b3a17fbdd 1c58f26c914d243f432c3f12a12850000400160301062b0b0006270006240002ac308202 a830820211a003020102020101300d06092a864886f70d0101040500308187310b300906 03550406130255533111300f06035504081308436f6c6f7261646f311930170603550407 1310436f6c6f7261646f20537072696e6773311b3019060355040a1312333630564c2049 6e636f72706f7261746564310e300c06035504031305333630564c311d301b06092a8648 86f7 EAP-Message = 0x0d010901160e696e666f40333630766c2e636f6d301e170d3035303830353135313034 305a170d3036303830353135313034305a308192310b3009060355040613025553311130 0f06035504081308436f6c6f7261646f3119301706035504071310436f6c6f7261646f20 537072696e6773311b3019060355040a1312333630564c20496e636f72706f7261746564 3119301706035504031310636f707065722e333630766c2e636f6d311d301b06092a8648 86f70d010901160e696e666f40333630766c2e636f6d30819f300d06092a864886f70d01 0101050003818d0030818902818100b2a8e575361b42490538c4ed2247ad4df5abc181da c9ed EAP-Message = 0x95d835a509bf155163928ba6119defdbfab08ee7a195f6d7dc261d1ff95994f8cca744 57327260e5814422485945ee4714ecb35820520be84ff4620497cd4daa6bbe6780b07b73 ea7452db5a55684b2c13d40d0e2add84c7979c056f2a17fe1b96fb3afd85f6bddfc50203 010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886 f70d0101040500038181001ac5a999fdb7bb40a77a34ecff459e4bbed2583cc0cca87080 566061428bb88ad090c7db85db96c07dc195a512bdae84849c112036af44b9320e8c0c91 35a6f502731fe2507dbf3a337317f739c70a561f3c7d9504293301a6b321574d22509f69 6948 EAP-Message = 0xe479ed655c56041259d23a0713e28a6206517e4e10349839d5dfee6a56000372308203 6e308202d7a003020102020100300d06092a864886f70d0101040500308187310b300906 03550406130255533111300f06035504081308436f6c6f7261646f311930170603550407 1310436f6c6f7261646f20537072696e6773311b3019060355040a1312333630564c2049 6e636f72706f7261746564310e300c06035504031305333630564c311d301b06092a8648 86f70d010901160e696e666f40333630766c2e636f6d301e170d30353038303531353036 32355a170d3036303830353135303632355a308187310b30090603550406130255533111 300f EAP-Message = 0x06035504081308436f6c6f7261646f31193017060355 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc5258593a428dfd0124288d31ba9eb20 Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.5.59:1075, id=167, length=181 Message-Authenticator = 0x7a06c1de0bcf813186df0d4425d9f50e Service-Type = Framed-User User-Name = "360VL" Framed-MTU = 1488 State = 0xc5258593a428dfd0124288d31ba9eb20 Called-Station-Id = "000FB57A156E:360VL" Calling-Station-Id = "000BCD56E3CB" NAS-Identifier = "360VL" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020200060d00 NAS-IP-Address = 192.168.5.59 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched DEFAULT at 156 users: Matched DEFAULT at 175 modcall[authorize]: module "files" returns ok for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 2 modcall: group authenticate returns handled for request 2 Sending Access-Challenge of id 167 to 192.168.5.59:1075 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010303270d800000071d04071310436f6c6f7261646f20537072696e6773311b301906 0355040a1312333630564c20496e636f72706f7261746564310e300c0603550403130533 3630564c311d301b06092a864886f70d010901160e696e666f40333630766c2e636f6d30 819f300d06092a864886f70d010101050003818d0030818902818100c1e36a58cf62e3ae df95552d32ec708012aded9061932aee060840cae5a20c8fa8ea72ba1f21253454a79c27 799f309812d703e7bcf414044dfc3b8ea2702c0cb9a912a15e110962d8c5229ea6e7404e c1b28bb85f69c93f503dc4195926e8f0f621aacb7337fd8da8af009e6d5896647af6c198 5955 EAP-Message = 0x1e5ce9db7367fd90c8870203010001a381e73081e4301d0603551d0e04160414ca07e0 025ebeb3f17c26b027e597f97cfc5777493081b40603551d230481ac3081a98014ca07e0 025ebeb3f17c26b027e597f97cfc577749a1818da4818a308187310b3009060355040613 0255533111300f06035504081308436f6c6f7261646f3119301706035504071310436f6c 6f7261646f20537072696e6773311b3019060355040a1312333630564c20496e636f7270 6f7261746564310e300c06035504031305333630564c311d301b06092a864886f70d0109 01160e696e666f40333630766c2e636f6d820100300c0603551d13040530030101ff300d 0609 EAP-Message = 0x2a864886f70d01010405000381810053b790c3ef4f488e5b3c018545d4d2b91ab028c4 7c547ecbdff6a152f80b52c4f6fbc3d074779ed87fb047a844bc473d6c417048b74409df 5727543b8da49cef8c651ac4598c27ce116d58c5fa0337e44e1b81c2a72935f2e2e13a8b 8ebbcc883c9135de3a11e8798abe9fb7828028d0c2ab4542e13ff7c629214fed18f086f5 16030100990d000091020102008c008a308187310b30090603550406130255533111300f 06035504081308436f6c6f7261646f3119301706035504071310436f6c6f7261646f2053 7072696e6773311b3019060355040a1312333630564c20496e636f72706f726174656431 0e30 EAP-Message = 0x0c06035504031305333630564c311d301b06092a864886f70d010901160e696e666f40 333630766c2e636f6d0e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd3a7a2876fe028447b05a62c6f56ea76 Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.5.59:1075, id=168, length=1190 Message-Authenticator = 0x0a1661fc6d58ef65de8bf05f6a442100 Service-Type = Framed-User User-Name = "360VL" Framed-MTU = 1488 State = 0xd3a7a2876fe028447b05a62c6f56ea76 Called-Station-Id = "000FB57A156E:360VL" Calling-Station-Id = "000BCD56E3CB" NAS-Identifier = "360VL" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020303f10d80000003e716030103b70b0002a70002a40002a13082029d30820206a003 020102020102300d06092a864886f70d0101040500308187310b30090603550406130255 533111300f06035504081308436f6c6f7261646f3119301706035504071310436f6c6f72 61646f20537072696e6773311b3019060355040a1312333630564c20496e636f72706f72 61746564310e300c06035504031305333630564c311d301b06092a864886f70d01090116 0e696e666f40333630766c2e636f6d301e170d3035303830353135313335335a170d3036 303830353135313335335a308187310b30090603550406130255533111300f0603550408 1308 EAP-Message = 0x436f6c6f7261646f3119301706035504071310436f6c6f7261646f20537072696e6773 311b3019060355040a1312333630564c20496e636f72706f7261746564310e300c060355 04031305333630564c311d301b06092a864886f70d010901160e696e666f40333630766c 2e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ccbbdc b09846dcd91ca4d52b83d090144dd17379a121e0dfe4333eac31e4ecab9ddc5c161f372a c3d29dd07620ab1ef80302682a2e74a9715690651458d601326a99eccb3c8f07bd7db896 d5797a559e1480a2691afd76ae30f91b952705e315fc1c4a6072b442aa78f05946338ef8 5b9c EAP-Message = 0xf9dde843c5bc1ece843f1414d4444d0203010001a317301530130603551d25040c300a 06082b06010505070302300d06092a864886f70d010104050003818100763976dd9a2f05 81394d8cf9680bc788e97e06a77759d79cb50f4b1d06dcad24112081efbfeb6850e8131a 60e4a7406708d93005ab50cc5448c1caa94ff090f42645f0e0dd0bdb85742f8c804fed33 2f48d68f5ebb4f327a4ecd1452b6032eb6f657d2867659380235bab98316528ec20b9855 5d5bdf93d8c594ef593b3f81911000008200809f1ebfd92a15800034c04c8a49af03ace9 740f760bce20bcfa1d54e882e44b5a61852c476702eeffbf1c9380c5e56cc8fc647b82fd b28b EAP-Message = 0x7688f3c1ab9f0d9e688800c158a425f464d06eea90583411d1603ab65f6f6d0aa7901a 6b288a16d1f745834497f99a0659c77bbdce4d4f9239373ab40b99857ab10f8de72bc9c9 74160f00008200802c85ac1155a0e0cce2716888890728287ac6d449ecfaf9480420f31a 9d04c4ffddab974cfddb9c992682fb94e4ba1adbdc8807fdff0f350a9ded1e9d17572796 8054e1f879072230dbfde1bc60f581554d7c54b5745f9bed2f86dceaf11e152462d0ba71 7df029f3753e3679803160309931f5eeb10fa4a2b3df4876ae0aa8631403010001011603 0100205cae2f6bb96df0c4d92cbb42362de07293ecd73f2f2e48f7ce42f235107820db NAS-IP-Address = 192.168.5.59 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 3 length 253 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched DEFAULT at 156 users: Matched DEFAULT at 175 modcall[authorize]: module "files" returns ok for request 3 modcall: group authorize returns updated for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 02ab], Certificate --> verify error:num=18:self signed certificate chain-depth=0, error=18 --> User-Name = 360VL --> BUF-Name = 360VL --> subject = /C=US/ST=Colorado/L=Colorado Springs/O=360VL Incorporated/CN=360VL/emailAddress=emailwithheld --> issuer = /C=US/ST=Colorado/L=Colorado Springs/O=360VL Incorporated/CN=360VL/emailAddress=emailwithheld --> verify return:0 rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 3 modcall: group authenticate returns handled for request 3 Sending Access-Challenge of id 168 to 192.168.5.59:1075 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010400110d800000000715030100020230 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x107dc1452fdb7d1314512bc4d7d9b173 Finished request 3 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.5.59:1075, id=169, length=181 Message-Authenticator = 0x4fe8511906befacbdea9b16b43158663 Service-Type = Framed-User User-Name = "360VL" Framed-MTU = 1488 State = 0x107dc1452fdb7d1314512bc4d7d9b173 Called-Station-Id = "000FB57A156E:360VL" Calling-Station-Id = "000BCD56E3CB" NAS-Identifier = "360VL" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020400060d00 NAS-IP-Address = 192.168.5.59 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched DEFAULT at 156 users: Matched DEFAULT at 175 modcall[authorize]: module "files" returns ok for request 4 modcall: group authorize returns updated for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack alert eaptls_verify returned 4 eaptls_process returned 4 rlm_eap: Handler failed in EAP/tls rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 4 modcall: group authenticate returns invalid for request 4 auth: Failed to validate the user. Delaying request 4 for 1 seconds Finished request 4 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.5.59:1075, id=169, length=181 Sending Access-Reject of id 169 to 192.168.5.59:1075 EAP-Message = 0x04040004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 5 seconds... rad_recv: Access-Request packet from host 192.168.5.59:1075, id=170, length=167 Message-Authenticator = 0x8071ba7139288a5d4eaf417b07e8488a Service-Type = Framed-User User-Name = "360VL" Framed-MTU = 1488 Called-Station-Id = "000FB57A156E:360VL" Calling-Station-Id = "000BCD56E3CB" NAS-Identifier = "360VL" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000a01333630564c NAS-IP-Address = 192.168.5.59 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 0 length 10 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched DEFAULT at 156 users: Matched DEFAULT at 175 modcall[authorize]: module "files" returns ok for request 5 modcall: group authorize returns updated for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 5 modcall: group authenticate returns handled for request 5 Sending Access-Challenge of id 170 to 192.168.5.59:1075 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0b76a7305f1a54c116e95a56da193528 Finished request 5 Going to the next request --- Walking the entire request list --- Waking up in 4 seconds... rad_recv: Access-Request packet from host 192.168.5.59:1075, id=171, length=167 Message-Authenticator = 0x536ad3d398545cb133dd088d08575af0 Service-Type = Framed-User User-Name = "360VL" Framed-MTU = 1488 Called-Station-Id = "000FB57A156E:360VL" Calling-Station-Id = "000BCD56E3CB" NAS-Identifier = "360VL" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0202000a01333630564c NAS-IP-Address = 192.168.5.59 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 2 length 10 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched DEFAULT at 156 users: Matched DEFAULT at 175 modcall[authorize]: module "files" returns ok for request 6 modcall: group authorize returns updated for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 6 modcall: group authenticate returns handled for request 6 Sending Access-Challenge of id 171 to 192.168.5.59:1075 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010300060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0a7243677871b927d0cd5d13a0eb4166 Finished request 6 Going to the next request Waking up in 4 seconds... rad_recv: Access-Request packet from host 192.168.5.59:1075, id=172, length=255 Message-Authenticator = 0xbbc4d103a1ea7017be31b1f93cc303b7 Service-Type = Framed-User User-Name = "360VL" Framed-MTU = 1488 State = 0x0a7243677871b927d0cd5d13a0eb4166 Called-Station-Id = "000FB57A156E:360VL" Calling-Station-Id = "000BCD56E3CB" NAS-Identifier = "360VL" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020300500d800000004616030100410100003d030142f390db8a634fbe9ea8d2cb1a86 cc43d9d6cc7be556720178af5cbbf49af4b400001600040005000a000900640062000300 060013001200630100 NAS-IP-Address = 192.168.5.59 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 3 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched DEFAULT at 156 users: Matched DEFAULT at 175 modcall[authorize]: module "files" returns ok for request 7 modcall: group authorize returns updated for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 062b], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0099], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 7 modcall: group authenticate returns handled for request 7 Sending Access-Challenge of id 172 to 192.168.5.59:1075 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x0104040a0dc00000071d160301004a02000046030142f3909a4e2851d1e4bd63c58a11 4fb87326da069a327e9ce84767108513edfd206424e4a88c3433368a8e62962cf0f4dca7 507a95f1d61e0c052687dbd817b4cb000400160301062b0b0006270006240002ac308202 a830820211a003020102020101300d06092a864886f70d0101040500308187310b300906 03550406130255533111300f06035504081308436f6c6f7261646f311930170603550407 1310436f6c6f7261646f20537072696e6773311b3019060355040a1312333630564c2049 6e636f72706f7261746564310e300c06035504031305333630564c311d301b06092a8648 86f7 EAP-Message = 0x0d010901160e696e666f40333630766c2e636f6d301e170d3035303830353135313034 305a170d3036303830353135313034305a308192310b3009060355040613025553311130 0f06035504081308436f6c6f7261646f3119301706035504071310436f6c6f7261646f20 537072696e6773311b3019060355040a1312333630564c20496e636f72706f7261746564 3119301706035504031310636f707065722e333630766c2e636f6d311d301b06092a8648 86f70d010901160e696e666f40333630766c2e636f6d30819f300d06092a864886f70d01 0101050003818d0030818902818100b2a8e575361b42490538c4ed2247ad4df5abc181da c9ed EAP-Message = 0x95d835a509bf155163928ba6119defdbfab08ee7a195f6d7dc261d1ff95994f8cca744 57327260e5814422485945ee4714ecb35820520be84ff4620497cd4daa6bbe6780b07b73 ea7452db5a55684b2c13d40d0e2add84c7979c056f2a17fe1b96fb3afd85f6bddfc50203 010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886 f70d0101040500038181001ac5a999fdb7bb40a77a34ecff459e4bbed2583cc0cca87080 566061428bb88ad090c7db85db96c07dc195a512bdae84849c112036af44b9320e8c0c91 35a6f502731fe2507dbf3a337317f739c70a561f3c7d9504293301a6b321574d22509f69 6948 EAP-Message = 0xe479ed655c56041259d23a0713e28a6206517e4e10349839d5dfee6a56000372308203 6e308202d7a003020102020100300d06092a864886f70d0101040500308187310b300906 03550406130255533111300f06035504081308436f6c6f7261646f311930170603550407 1310436f6c6f7261646f20537072696e6773311b3019060355040a1312333630564c2049 6e636f72706f7261746564310e300c06035504031305333630564c311d301b06092a8648 86f70d010901160e696e666f40333630766c2e636f6d301e170d30353038303531353036 32355a170d3036303830353135303632355a308187310b30090603550406130255533111 300f EAP-Message = 0x06035504081308436f6c6f7261646f31193017060355 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc2b080bfcb34d8cbd3fbbb69d15050d3 Finished request 7 Going to the next request Waking up in 4 seconds... rad_recv: Access-Request packet from host 192.168.5.59:1075, id=173, length=181 Message-Authenticator = 0x7f76805cf32b6ca33cfdf4e43a6667f5 Service-Type = Framed-User User-Name = "360VL" Framed-MTU = 1488 State = 0xc2b080bfcb34d8cbd3fbbb69d15050d3 Called-Station-Id = "000FB57A156E:360VL" Calling-Station-Id = "000BCD56E3CB" NAS-Identifier = "360VL" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020400060d00 NAS-IP-Address = 192.168.5.59 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 modcall[authorize]: module "chap" returns noop for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 8 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 users: Matched DEFAULT at 156 users: Matched DEFAULT at 175 modcall[authorize]: module "files" returns ok for request 8 modcall: group authorize returns updated for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 8 modcall: group authenticate returns handled for request 8 Sending Access-Challenge of id 173 to 192.168.5.59:1075 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010503270d800000071d04071310436f6c6f7261646f20537072696e6773311b301906 0355040a1312333630564c20496e636f72706f7261746564310e300c0603550403130533 3630564c311d301b06092a864886f70d010901160e696e666f40333630766c2e636f6d30 819f300d06092a864886f70d010101050003818d0030818902818100c1e36a58cf62e3ae df95552d32ec708012aded9061932aee060840cae5a20c8fa8ea72ba1f21253454a79c27 799f309812d703e7bcf414044dfc3b8ea2702c0cb9a912a15e110962d8c5229ea6e7404e c1b28bb85f69c93f503dc4195926e8f0f621aacb7337fd8da8af009e6d5896647af6c198 5955 EAP-Message = 0x1e5ce9db7367fd90c8870203010001a381e73081e4301d0603551d0e04160414ca07e0 025ebeb3f17c26b027e597f97cfc5777493081b40603551d230481ac3081a98014ca07e0 025ebeb3f17c26b027e597f97cfc577749a1818da4818a308187310b3009060355040613 0255533111300f06035504081308436f6c6f7261646f3119301706035504071310436f6c 6f7261646f20537072696e6773311b3019060355040a1312333630564c20496e636f7270 6f7261746564310e300c06035504031305333630564c311d301b06092a864886f70d0109 01160e696e666f40333630766c2e636f6d820100300c0603551d13040530030101ff300d 0609 EAP-Message = 0x2a864886f70d01010405000381810053b790c3ef4f488e5b3c018545d4d2b91ab028c4 7c547ecbdff6a152f80b52c4f6fbc3d074779ed87fb047a844bc473d6c417048b74409df 5727543b8da49cef8c651ac4598c27ce116d58c5fa0337e44e1b81c2a72935f2e2e13a8b 8ebbcc883c9135de3a11e8798abe9fb7828028d0c2ab4542e13ff7c629214fed18f086f5 16030100990d000091020102008c008a308187310b30090603550406130255533111300f 06035504081308436f6c6f7261646f3119301706035504071310436f6c6f7261646f2053 7072696e6773311b3019060355040a1312333630564c20496e636f72706f726174656431 0e30 EAP-Message = 0x0c06035504031305333630564c311d301b06092a864886f70d010901160e696e666f40 333630766c2e636f6d0e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x46be83586ea1540428f18bc0d43999e2 Finished request 8 Going to the next request Waking up in 4 seconds... rad_recv: Access-Request packet from host 192.168.5.59:1075, id=174, length=1190 Message-Authenticator = 0x3ea36373b58083333020105f98fcc6f9 Service-Type = Framed-User User-Name = "360VL" Framed-MTU = 1488 State = 0x46be83586ea1540428f18bc0d43999e2 Called-Station-Id = "000FB57A156E:360VL" Calling-Station-Id = "000BCD56E3CB" NAS-Identifier = "360VL" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020503f10d80000003e716030103b70b0002a70002a40002a13082029d30820206a003 020102020102300d06092a864886f70d0101040500308187310b30090603550406130255 533111300f06035504081308436f6c6f7261646f3119301706035504071310436f6c6f72 61646f20537072696e6773311b3019060355040a1312333630564c20496e636f72706f72 61746564310e300c06035504031305333630564c311d301b06092a864886f70d01090116 0e696e666f40333630766c2e636f6d301e170d3035303830353135313335335a170d3036 303830353135313335335a308187310b30090603550406130255533111300f0603550408 1308 EAP-Message = 0x436f6c6f7261646f3119301706035504071310436f6c6f7261646f20537072696e6773 311b3019060355040a1312333630564c20496e636f72706f7261746564310e300c060355 04031305333630564c311d301b06092a864886f70d010901160e696e666f40333630766c 2e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ccbbdc b09846dcd91ca4d52b83d090144dd17379a121e0dfe4333eac31e4ecab9ddc5c161f372a c3d29dd07620ab1ef80302682a2e74a9715690651458d601326a99eccb3c8f07bd7db896 d5797a559e1480a2691afd76ae30f91b952705e315fc1c4a6072b442aa78f05946338ef8 5b9c EAP-Message = 0xf9dde843c5bc1ece843f1414d4444d0203010001a317301530130603551d25040c300a 06082b06010505070302300d06092a864886f70d010104050003818100763976dd9a2f05 81394d8cf9680bc788e97e06a77759d79cb50f4b1d06dcad24112081efbfeb6850e8131a 60e4a7406708d93005ab50cc5448c1caa94ff090f42645f0e0dd0bdb85742f8c804fed33 2f48d68f5ebb4f327a4ecd1452b6032eb6f657d2867659380235bab98316528ec20b9855 5d5bdf93d8c594ef593b3f819110000082008017b86f4025160fcf01c703fc64ae1cc08b cc734196507bddff87d6cfe97ae57f284a98976ab69f278c20d9e29eb37dca36c06b2ffb eca3 EAP-Message = 0x8fa19bb0e069266e74d2fd52e4c784892cf6eed652723b7b1800acfc0f79d324f13b5c ea2819b4c710a126b5182cf510b36901e8175571a25908b4432f580dafbf5f344f1dacdc d03f0f000082008022b85e222f7e51d8ab7064bb66fdcfaa4e5e19533975f958ce4232d2 2923fb753b05d8a631506848aefd3a4ad6cf1425935cf0b8ac3054b608c394b1d35a0646 eafc858c495206d9cb277a3129aff3bab030f860e4387e235b2e5c53219c5e86c5f3eee1 1ad88feea95fdb327a920ed287142a9c19d1807ae88af91c7e93e2ab1403010001011603 010020d30f49c2ee685496c0b673f3c30ace4e9d068b37f57937dee17f73cc7aee525e NAS-IP-Address = 192.168.5.59 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 modcall[authorize]: module "preprocess" returns ok for request 9 modcall[authorize]: module "chap" returns noop for request 9 modcall[authorize]: module "mschap" returns noop for request 9 rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 9 rlm_eap: EAP packet type response id 5 length 253 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 9 users: Matched DEFAULT at 156 users: Matched DEFAULT at 175 modcall[authorize]: module "files" returns ok for request 9 modcall: group authorize returns updated for request 9 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 9 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 02ab], Certificate --> verify error:num=18:self signed certificate chain-depth=0, error=18 --> User-Name = 360VL --> BUF-Name = 360VL --> subject = /C=US/ST=Colorado/L=Colorado Springs/O=360VL Incorporated/CN=360VL/emailAddress=emailwithheld --> issuer = /C=US/ST=Colorado/L=Colorado Springs/O=360VL Incorporated/CN=360VL/emailAddress=emailwithheld --> verify return:0 rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 9 modcall: group authenticate returns handled for request 9 Sending Access-Challenge of id 174 to 192.168.5.59:1075 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010600110d800000000715030100020230 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfc76e05422193720d431a9e96db434ad Finished request 9 Going to the next request Waking up in 4 seconds... rad_recv: Access-Request packet from host 192.168.5.59:1075, id=175, length=181 Message-Authenticator = 0x3cb38e214ac8af13cae93335934db928 Service-Type = Framed-User User-Name = "360VL" Framed-MTU = 1488 State = 0xfc76e05422193720d431a9e96db434ad Called-Station-Id = "000FB57A156E:360VL" Calling-Station-Id = "000BCD56E3CB" NAS-Identifier = "360VL" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020600060d00 NAS-IP-Address = 192.168.5.59 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 10 modcall[authorize]: module "preprocess" returns ok for request 10 modcall[authorize]: module "chap" returns noop for request 10 modcall[authorize]: module "mschap" returns noop for request 10 rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 10 rlm_eap: EAP packet type response id 6 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 10 users: Matched DEFAULT at 156 users: Matched DEFAULT at 175 modcall[authorize]: module "files" returns ok for request 10 modcall: group authorize returns updated for request 10 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 10 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack alert eaptls_verify returned 4 eaptls_process returned 4 rlm_eap: Handler failed in EAP/tls rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 10 modcall: group authenticate returns invalid for request 10 auth: Failed to validate the user. Delaying request 10 for 1 seconds Finished request 10 Going to the next request Waking up in 4 seconds... rad_recv: Access-Request packet from host 192.168.5.59:1075, id=175, length=181 Sending Access-Reject of id 175 to 192.168.5.59:1075 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 3 seconds... rad_recv: Access-Request packet from host 192.168.5.59:1075, id=176, length=167 Message-Authenticator = 0xed8dfb1d74dd2d45a5aa491086fc34d7 Service-Type = Framed-User User-Name = "360VL" Framed-MTU = 1488 Called-Station-Id = "000FB57A156E:360VL" Calling-Station-Id = "000BCD56E3CB" NAS-Identifier = "360VL" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000a01333630564c NAS-IP-Address = 192.168.5.59 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 11 modcall[authorize]: module "preprocess" returns ok for request 11 modcall[authorize]: module "chap" returns noop for request 11 modcall[authorize]: module "mschap" returns noop for request 11 rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 11 rlm_eap: EAP packet type response id 0 length 10 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 11 users: Matched DEFAULT at 156 users: Matched DEFAULT at 175 modcall[authorize]: module "files" returns ok for request 11 modcall: group authorize returns updated for request 11 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 11 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 11 modcall: group authenticate returns handled for request 11 Sending Access-Challenge of id 176 to 192.168.5.59:1075 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x477c55c8220b91dbaaf48dec55693784 Finished request 11 Going to the next request --- Walking the entire request list --- Waking up in 2 seconds... rad_recv: Access-Request packet from host 192.168.5.59:1075, id=177, length=167 Message-Authenticator = 0xf2ffc7d2b55b48a295ea98c02dd2beba Service-Type = Framed-User User-Name = "360VL" Framed-MTU = 1488 Called-Station-Id = "000FB57A156E:360VL" Calling-Station-Id = "000BCD56E3CB" NAS-Identifier = "360VL" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0202000a01333630564c NAS-IP-Address = 192.168.5.59 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 12 modcall[authorize]: module "preprocess" returns ok for request 12 modcall[authorize]: module "chap" returns noop for request 12 modcall[authorize]: module "mschap" returns noop for request 12 rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 12 rlm_eap: EAP packet type response id 2 length 10 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 12 users: Matched DEFAULT at 156 users: Matched DEFAULT at 175 modcall[authorize]: module "files" returns ok for request 12 modcall: group authorize returns updated for request 12 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 12 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 12 modcall: group authenticate returns handled for request 12 Sending Access-Challenge of id 177 to 192.168.5.59:1075 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010300060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5132de59d6e9fa7406d5a3a7fd916460 Finished request 12 Going to the next request Waking up in 2 seconds... rad_recv: Access-Request packet from host 192.168.5.59:1075, id=178, length=255 Message-Authenticator = 0x1dd14c9ef65e83a0230f1870c2339f1d Service-Type = Framed-User User-Name = "360VL" Framed-MTU = 1488 State = 0x5132de59d6e9fa7406d5a3a7fd916460 Called-Station-Id = "000FB57A156E:360VL" Calling-Station-Id = "000BCD56E3CB" NAS-Identifier = "360VL" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020300500d800000004616030100410100003d030142f390ddb61a462925787781e43b 633cd37484dcbb2f065295ea83ef3f32d69d00001600040005000a000900640062000300 060013001200630100 NAS-IP-Address = 192.168.5.59 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 13 modcall[authorize]: module "preprocess" returns ok for request 13 modcall[authorize]: module "chap" returns noop for request 13 modcall[authorize]: module "mschap" returns noop for request 13 rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 13 rlm_eap: EAP packet type response id 3 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 13 users: Matched DEFAULT at 156 users: Matched DEFAULT at 175 modcall[authorize]: module "files" returns ok for request 13 modcall: group authorize returns updated for request 13 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 13 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 062b], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0099], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 13 modcall: group authenticate returns handled for request 13 Sending Access-Challenge of id 178 to 192.168.5.59:1075 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x0104040a0dc00000071d160301004a02000046030142f3909c147f72795543365b423d 357307980b8bfeadf7b73a6872c7d925d1b220dd77b106135ce0d8f7882941c54cfa5c9a db0969ab8fac2df1d21b212c9ef0ad000400160301062b0b0006270006240002ac308202 a830820211a003020102020101300d06092a864886f70d0101040500308187310b300906 03550406130255533111300f06035504081308436f6c6f7261646f311930170603550407 1310436f6c6f7261646f20537072696e6773311b3019060355040a1312333630564c2049 6e636f72706f7261746564310e300c06035504031305333630564c311d301b06092a8648 86f7 EAP-Message = 0x0d010901160e696e666f40333630766c2e636f6d301e170d3035303830353135313034 305a170d3036303830353135313034305a308192310b3009060355040613025553311130 0f06035504081308436f6c6f7261646f3119301706035504071310436f6c6f7261646f20 537072696e6773311b3019060355040a1312333630564c20496e636f72706f7261746564 3119301706035504031310636f707065722e333630766c2e636f6d311d301b06092a8648 86f70d010901160e696e666f40333630766c2e636f6d30819f300d06092a864886f70d01 0101050003818d0030818902818100b2a8e575361b42490538c4ed2247ad4df5abc181da c9ed EAP-Message = 0x95d835a509bf155163928ba6119defdbfab08ee7a195f6d7dc261d1ff95994f8cca744 57327260e5814422485945ee4714ecb35820520be84ff4620497cd4daa6bbe6780b07b73 ea7452db5a55684b2c13d40d0e2add84c7979c056f2a17fe1b96fb3afd85f6bddfc50203 010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886 f70d0101040500038181001ac5a999fdb7bb40a77a34ecff459e4bbed2583cc0cca87080 566061428bb88ad090c7db85db96c07dc195a512bdae84849c112036af44b9320e8c0c91 35a6f502731fe2507dbf3a337317f739c70a561f3c7d9504293301a6b321574d22509f69 6948 EAP-Message = 0xe479ed655c56041259d23a0713e28a6206517e4e10349839d5dfee6a56000372308203 6e308202d7a003020102020100300d06092a864886f70d0101040500308187310b300906 03550406130255533111300f06035504081308436f6c6f7261646f311930170603550407 1310436f6c6f7261646f20537072696e6773311b3019060355040a1312333630564c2049 6e636f72706f7261746564310e300c06035504031305333630564c311d301b06092a8648 86f70d010901160e696e666f40333630766c2e636f6d301e170d30353038303531353036 32355a170d3036303830353135303632355a308187310b30090603550406130255533111 300f EAP-Message = 0x06035504081308436f6c6f7261646f31193017060355 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x65e62c501c4cec769c8d45a40faf9a67 Finished request 13 Going to the next request Waking up in 2 seconds... rad_recv: Access-Request packet from host 192.168.5.59:1075, id=179, length=181 Message-Authenticator = 0x4b1d387a1df61d3afeff11b22d27432f Service-Type = Framed-User User-Name = "360VL" Framed-MTU = 1488 State = 0x65e62c501c4cec769c8d45a40faf9a67 Called-Station-Id = "000FB57A156E:360VL" Calling-Station-Id = "000BCD56E3CB" NAS-Identifier = "360VL" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020400060d00 NAS-IP-Address = 192.168.5.59 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 14 modcall[authorize]: module "preprocess" returns ok for request 14 modcall[authorize]: module "chap" returns noop for request 14 modcall[authorize]: module "mschap" returns noop for request 14 rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 14 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 14 users: Matched DEFAULT at 156 users: Matched DEFAULT at 175 modcall[authorize]: module "files" returns ok for request 14 modcall: group authorize returns updated for request 14 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 14 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 14 modcall: group authenticate returns handled for request 14 Sending Access-Challenge of id 179 to 192.168.5.59:1075 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010503270d800000071d04071310436f6c6f7261646f20537072696e6773311b301906 0355040a1312333630564c20496e636f72706f7261746564310e300c0603550403130533 3630564c311d301b06092a864886f70d010901160e696e666f40333630766c2e636f6d30 819f300d06092a864886f70d010101050003818d0030818902818100c1e36a58cf62e3ae df95552d32ec708012aded9061932aee060840cae5a20c8fa8ea72ba1f21253454a79c27 799f309812d703e7bcf414044dfc3b8ea2702c0cb9a912a15e110962d8c5229ea6e7404e c1b28bb85f69c93f503dc4195926e8f0f621aacb7337fd8da8af009e6d5896647af6c198 5955 EAP-Message = 0x1e5ce9db7367fd90c8870203010001a381e73081e4301d0603551d0e04160414ca07e0 025ebeb3f17c26b027e597f97cfc5777493081b40603551d230481ac3081a98014ca07e0 025ebeb3f17c26b027e597f97cfc577749a1818da4818a308187310b3009060355040613 0255533111300f06035504081308436f6c6f7261646f3119301706035504071310436f6c 6f7261646f20537072696e6773311b3019060355040a1312333630564c20496e636f7270 6f7261746564310e300c06035504031305333630564c311d301b06092a864886f70d0109 01160e696e666f40333630766c2e636f6d820100300c0603551d13040530030101ff300d 0609 EAP-Message = 0x2a864886f70d01010405000381810053b790c3ef4f488e5b3c018545d4d2b91ab028c4 7c547ecbdff6a152f80b52c4f6fbc3d074779ed87fb047a844bc473d6c417048b74409df 5727543b8da49cef8c651ac4598c27ce116d58c5fa0337e44e1b81c2a72935f2e2e13a8b 8ebbcc883c9135de3a11e8798abe9fb7828028d0c2ab4542e13ff7c629214fed18f086f5 16030100990d000091020102008c008a308187310b30090603550406130255533111300f 06035504081308436f6c6f7261646f3119301706035504071310436f6c6f7261646f2053 7072696e6773311b3019060355040a1312333630564c20496e636f72706f726174656431 0e30 EAP-Message = 0x0c06035504031305333630564c311d301b06092a864886f70d010901160e696e666f40 333630766c2e636f6d0e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x031c5f5e68c7d536cfa34b376c9b050a Finished request 14 Going to the next request Waking up in 2 seconds... rad_recv: Access-Request packet from host 192.168.5.59:1075, id=180, length=1190 Message-Authenticator = 0x1491be9e5a592e4eae8a415b232ab21e Service-Type = Framed-User User-Name = "360VL" Framed-MTU = 1488 State = 0x031c5f5e68c7d536cfa34b376c9b050a Called-Station-Id = "000FB57A156E:360VL" Calling-Station-Id = "000BCD56E3CB" NAS-Identifier = "360VL" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020503f10d80000003e716030103b70b0002a70002a40002a13082029d30820206a003 020102020102300d06092a864886f70d0101040500308187310b30090603550406130255 533111300f06035504081308436f6c6f7261646f3119301706035504071310436f6c6f72 61646f20537072696e6773311b3019060355040a1312333630564c20496e636f72706f72 61746564310e300c06035504031305333630564c311d301b06092a864886f70d01090116 0e696e666f40333630766c2e636f6d301e170d3035303830353135313335335a170d3036 303830353135313335335a308187310b30090603550406130255533111300f0603550408 1308 EAP-Message = 0x436f6c6f7261646f3119301706035504071310436f6c6f7261646f20537072696e6773 311b3019060355040a1312333630564c20496e636f72706f7261746564310e300c060355 04031305333630564c311d301b06092a864886f70d010901160e696e666f40333630766c 2e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ccbbdc b09846dcd91ca4d52b83d090144dd17379a121e0dfe4333eac31e4ecab9ddc5c161f372a c3d29dd07620ab1ef80302682a2e74a9715690651458d601326a99eccb3c8f07bd7db896 d5797a559e1480a2691afd76ae30f91b952705e315fc1c4a6072b442aa78f05946338ef8 5b9c EAP-Message = 0xf9dde843c5bc1ece843f1414d4444d0203010001a317301530130603551d25040c300a 06082b06010505070302300d06092a864886f70d010104050003818100763976dd9a2f05 81394d8cf9680bc788e97e06a77759d79cb50f4b1d06dcad24112081efbfeb6850e8131a 60e4a7406708d93005ab50cc5448c1caa94ff090f42645f0e0dd0bdb85742f8c804fed33 2f48d68f5ebb4f327a4ecd1452b6032eb6f657d2867659380235bab98316528ec20b9855 5d5bdf93d8c594ef593b3f81911000008200804992c539a78d668390fe37e7791bfd398c 439a5bb8b3899c906dc1112606f7e03ed376d7ccf86c0f2ce99988117f04c59225c98b5f a5bc EAP-Message = 0x3136bbbdec6f4745dcc502e3e287131e93241f624c2b2042af8985203ec6098b9069ef 29594e7d936ac6599f22a890787ee14d7c3f1d6e2fadcb305e5cce766d0e0a338980aebb 24420f00008200804465675875b0c9ec0bb347d497a635a948b2387604fe5a9c4cdec47a 2ab70b371279d0a7e05007fbfee9c45cf57b3e8fb016d1099ab443ef08d21570577706e8 09de1a74e65c69f739207b2b2de53ff5d8bf1a87141f098dc5f9516ca817919fc1847728 8a79bfc711dcaabb47645e61f641653f91ce6f9f03d9b3050b89ad421403010001011603 010020aa8f644dc9b4649dd21740ab8541ccb568e37a47cae11a0173e6e50a616b483d NAS-IP-Address = 192.168.5.59 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 15 modcall[authorize]: module "preprocess" returns ok for request 15 modcall[authorize]: module "chap" returns noop for request 15 modcall[authorize]: module "mschap" returns noop for request 15 rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 15 rlm_eap: EAP packet type response id 5 length 253 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 15 users: Matched DEFAULT at 156 users: Matched DEFAULT at 175 modcall[authorize]: module "files" returns ok for request 15 modcall: group authorize returns updated for request 15 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 15 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 02ab], Certificate --> verify error:num=18:self signed certificate chain-depth=0, error=18 --> User-Name = 360VL --> BUF-Name = 360VL --> subject = /C=US/ST=Colorado/L=Colorado Springs/O=360VL Incorporated/CN=360VL/emailAddress=emailwithheld --> issuer = /C=US/ST=Colorado/L=Colorado Springs/O=360VL Incorporated/CN=360VL/emailAddress=emailwithheld --> verify return:0 rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 15 modcall: group authenticate returns handled for request 15 Sending Access-Challenge of id 180 to 192.168.5.59:1075 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010600110d800000000715030100020230 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc8ab204f06d545924a370c20bd5b91c4 Finished request 15 Going to the next request Waking up in 2 seconds... rad_recv: Access-Request packet from host 192.168.5.59:1075, id=181, length=181 Message-Authenticator = 0x212a50be58cd4ed3d2bb744a9400d174 Service-Type = Framed-User User-Name = "360VL" Framed-MTU = 1488 State = 0xc8ab204f06d545924a370c20bd5b91c4 Called-Station-Id = "000FB57A156E:360VL" Calling-Station-Id = "000BCD56E3CB" NAS-Identifier = "360VL" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020600060d00 NAS-IP-Address = 192.168.5.59 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 16 modcall[authorize]: module "preprocess" returns ok for request 16 modcall[authorize]: module "chap" returns noop for request 16 modcall[authorize]: module "mschap" returns noop for request 16 rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 16 rlm_eap: EAP packet type response id 6 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 16 users: Matched DEFAULT at 156 users: Matched DEFAULT at 175 modcall[authorize]: module "files" returns ok for request 16 modcall: group authorize returns updated for request 16 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 16 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack alert eaptls_verify returned 4 eaptls_process returned 4 rlm_eap: Handler failed in EAP/tls rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 16 modcall: group authenticate returns invalid for request 16 auth: Failed to validate the user. Delaying request 16 for 1 seconds Finished request 16 Going to the next request Waking up in 2 seconds... rad_recv: Access-Request packet from host 192.168.5.59:1075, id=181, length=181 Sending Access-Reject of id 181 to 192.168.5.59:1075 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 165 with timestamp 42f39098 Cleaning up request 1 ID 166 with timestamp 42f39098 Cleaning up request 2 ID 167 with timestamp 42f39098 Cleaning up request 3 ID 168 with timestamp 42f39098 Cleaning up request 4 ID 169 with timestamp 42f39098 Waking up in 2 seconds... --- Walking the entire request list --- Cleaning up request 5 ID 170 with timestamp 42f3909a Cleaning up request 6 ID 171 with timestamp 42f3909a Cleaning up request 7 ID 172 with timestamp 42f3909a Cleaning up request 8 ID 173 with timestamp 42f3909a Cleaning up request 9 ID 174 with timestamp 42f3909a Cleaning up request 10 ID 175 with timestamp 42f3909a Waking up in 2 seconds... --- Walking the entire request list --- Cleaning up request 11 ID 176 with timestamp 42f3909c Cleaning up request 12 ID 177 with timestamp 42f3909c Cleaning up request 13 ID 178 with timestamp 42f3909c Cleaning up request 14 ID 179 with timestamp 42f3909c Cleaning up request 15 ID 180 with timestamp 42f3909c Cleaning up request 16 ID 181 with timestamp 42f3909c Nothing to do. Sleeping until we see a request.
Hi Landon, I think this piece from the log is suspicious:
rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 02ab], Certificate --> verify error:num=18:self signed certificate chain-depth=0, error=18 --> User-Name = 360VL --> BUF-Name = 360VL --> subject = /C=US/ST=Colorado/L=Colorado Springs/O=360VL Incorporated/CN=360VL/emailAddress=emailwithheld --> issuer = /C=US/ST=Colorado/L=Colorado Springs/O=360VL Incorporated/CN=360VL/emailAddress=emailwithheld --> verify return:0 rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
I think the problem is the user certificate that you imported into XP is "self-signed". What you need to do is use openssl to create a certificate request (using openssl req ...) and then sign that request using the CA (using openssl ca). Then package up the user key and signed user cert into the pkcs#12 envelope (using openssl pkcs12). Finally import into XP. I looked at the instructions for certificate generation in the linux format article and they look OK. Make sure you did not miss a step or use the wrong command somewhere. As to using a password for the pkcs#12 envelope, go ahead and use it. When you import the pkcs#12 file into XP, it will just ask for it, and you enter it, and that should be it. Hope that helps. Michael
Thanks for looking at this, Michael. I decided to restart the certificate generation process and did it again from scratch following the article. Same results. I did it a 3rd time and but this time copied the certs to /etc/ssl/ certs and insured all CNs were unique (not being completely up on what is right or wrong w/r to input values for the cert process or what directories the new certs needed to live in, I wanted to make sure that wasn't an issue.) So, one of those actions did the trick and I haven't gone back to isolate which one. After that I was able to login - authenticated in both directions, too. I did go ahead and do the pkcs export password and that worked fine. I'm not sure what Bauer's comment was referring to in the article about XP supplicants only working with non-pw protected certs in the store. Oh well, it's up and working and I'm grateful. Thank you, Landon On Aug 5, 2005, at 4:30 PM, Michael Wang wrote:
Hi Landon,
I think this piece from the log is suspicious:
rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 02ab], Certificate --> verify error:num=18:self signed certificate chain-depth=0, error=18 --> User-Name = 360VL --> BUF-Name = 360VL --> subject = /C=US/ST=Colorado/L=Colorado Springs/O=360VL Incorporated/CN=360VL/emailAddress=emailwithheld --> issuer = /C=US/ST=Colorado/L=Colorado Springs/O=360VL Incorporated/CN=360VL/emailAddress=emailwithheld --> verify return:0 rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
I think the problem is the user certificate that you imported into XP is "self-signed". What you need to do is use openssl to create a certificate request (using openssl req ...) and then sign that request using the CA (using openssl ca). Then package up the user key and signed user cert into the pkcs#12 envelope (using openssl pkcs12). Finally import into XP. I looked at the instructions for certificate generation in the linux format article and they look OK. Make sure you did not miss a step or use the wrong command somewhere.
As to using a password for the pkcs#12 envelope, go ahead and use it. When you import the pkcs#12 file into XP, it will just ask for it, and you enter it, and that should be it.
Hope that helps.
Michael
Hi,
I chose to start with this article as it was one of the most recent tutorials I could find on the topic of FreeRADIUS and EAP TLS.
strange. the EAP-TLS HOWTO seems uite straight forward. everything else is a rewrite of this guide.
if you like. You may be tempted to press Enter instead, especially given that the WPA supplicant in Windows XP works only when you store its certificates without a passphrases..." I've tried generate the
interesting. we've used pass phrases...stops people just copying the certificate onto any unknown machine.
client p12 file both ways and reimporting to XP's Personal Certificates to no avail. Is that pkcs12 passphrase assertion still true for XP supplicant? Either way, with or without, I can't get this to work, so that must not be the issue.
did you use the extra XP SSL additions as per the EAP-TLS HOWTO?
I have also tried un-checking the "Validate Server Certificate" in the 802.1x settings of XP for that Access Point. I get the same error, so the error seems to indicate an issue with not being able to deal with the client side cert?
I've imported both the cacert.pem into my Trusted Root Certs in XP and the client_cert.p12 into "Personal->Certificates". There were no steps indicated I needed to import server cert on the XP side (which doesn't make sense anyway...just noting here that for diagnostic purposes.)
Any help towards solving this issue would be very much appreciated.
Now for the debug log:
TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B
though this seems to suggest that your FreeRADIUS doesnt know much about this certificate. I'd check the eap.conf file alan
On Aug 7, 2005, at 7:47 AM, A.L.M.Buxey@lboro.ac.uk wrote:
I chose to start with this article as it was one of the most recent tutorials I could find on the topic of FreeRADIUS and EAP TLS.
strange. the EAP-TLS HOWTO seems uite straight forward. everything else is a rewrite of this guide.
For me, I appreciated the tutorial approach of Bauer's article vs something more scripted because it helped me understand what was going on. I hadn't ever set up CAs and certificates before so Bauer's article was better for me, especially Part 1 which laid out the WPA landscape. The EAP-TLS HOWTO was fine, I just didn't get the lay of the land as a background that I needed to understand where I was headed and why.
interesting. we've used pass phrases...stops people just copying the certificate onto any unknown machine.
Indeed it works either way as I found out, so again, not sure what he was referring to in the article.
client p12 file both ways and reimporting to XP's Personal Certificates to no avail. Is that pkcs12 passphrase assertion still true for XP supplicant? Either way, with or without, I can't get this to work, so that must not be the issue.
did you use the extra XP SSL additions as per the EAP-TLS HOWTO?
Yes I had the ASN1 xpextensions all along; that was not the problem as it turned out.
though this seems to suggest that your FreeRADIUS doesnt know much about this certificate. I'd check the eap.conf file
The eap.conf was correct also. I think the problem was that the certs I generated for CA and server weren't in the ssl/certs directory though they were in the raddb/ certs directory. Other than that, I don't think I did anything different between attempts at CA and cert creation when I finally got it working. Definitely didn't change my radiusd.conf, clients.conf or eap.conf files between attempts, so it was definitely cert related. I need to experiment a little more to see where I went wrong the first couple attempts, but all the conf files were correct as I didn't change them between attempts. Thanks, Landon
I think the problem was that the certs I generated for CA and server weren't in the ssl/certs directory though they were in the raddb/ certs directory. Other than that, I don't think I did anything different between attempts at CA and cert creation when I finally got it working. Definitely didn't change my radiusd.conf, clients.conf or eap.conf files between attempts, so it was definitely cert related.
I need to experiment a little more to see where I went wrong the first couple attempts, but all the conf files were correct as I didn't change them between attempts.
Did you do anything differently with your 'random' file and your 'dh' file? Creating those properly (as opposed to the idiotic directions of "date > dh; date > random") seemed to solve my dilemma when I was getting a similar issue to what you were getting. -kb -- Kris Benson, CCP, I.S.P. Technical Analyst, District Projects School District #57 (Prince George)
On Aug 8, 2005, at 9:18 AM, Kris Benson wrote:
Did you do anything differently with your 'random' file and your 'dh' file?
Creating those properly (as opposed to the idiotic directions of "date > dh; date > random") seemed to solve my dilemma when I was getting a similar issue to what you were getting.
Hi Kris, No, both dh and random stayed as initially generated. I used the Bauer Linux journal article to do that step which used the /dev/ urandom method vs date. I'm going to do some experiments later tonight and see if I can isolate the success factor. Thanks, Landon
On Aug 8, 2005, at 9:39 AM, Landon Cox wrote:
I'm going to do some experiments later tonight and see if I can isolate the success factor.
Back on this topic for a moment...some things I tried to see if I could break the configuration were: 1) remove the certs from the /etc/ssl/certs directory, restart FR, no difference - still hooked up fine since the certs are also in raddb/certs. I decided to generate a client cert for a Mac box and when I imported it into the Keychain of OS X, I noticed "This certificate is not yet valid". I went back and looked at the output of the certificate generation and the "validity Not Before" gave a date/time stamp that was 1 hour future (my timezone setting was off by one hour.) But this made me wonder....was the unknown_ca problem caused by the CA cert having a "Not Valid Before" validity that was in the future from the real time when it was generated and then initially tested? Is this a possible cause for an unknown_ca error? Landon
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Kris Benson -
Landon Cox -
Michael Wang